[pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay

px at jack.fr.eu.org px at jack.fr.eu.org
Fri Apr 9 17:40:44 CEST 2021


Hello,

In Proxmox setup, there is no known serious issue

In contrary to "ttl security" (aka GTSM), multihop is not a security feature

I don't think there is a drawback to the proposed patch
However, disabling multihop when there is only one peer should also 
works, so your proposal shall work as well

As you wish :)

Best regards,

On 4/9/21 3:50 PM, alexandre derumier wrote:
> Hi,
> 
> any impact to enable it by default ?
> 
> if user have only 1 peer for example ?
> 
> maybe is is better to only enable it if we have more than 1 peer in the 
> group ?
> 
> and check that we use ebgp.
> 
> something like:
> 
> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp && 
> scalar @peers > 1;
> 
> 
> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>> From: Alexandre Bruyelles <git at jack.fr.eu.org>
>>
>> Multihop is required when the bgpd are running across
>> a pair of MLAG routers.
>> In such scenario, TCP trafic from Proxmox to router A
>> may pass through router B, which will decrease the TTL.
>>
>> Signed-off-by: Alexandre Bruyelles <git at jack.fr.eu.org>
>> ---
>>   PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm 
>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> index e5d8490..69436a0 100644
>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> @@ -85,6 +85,7 @@ sub generate_controller_config {
>>       push @controller_config, "neighbor BGP peer-group";
>>       push @controller_config, "neighbor BGP remote-as $remoteas";
>>       push @controller_config, "neighbor BGP bfd";
>> +    push @controller_config, "neighbor BGP ebgp-multihop 3";
>>       }
>>       # BGP peers




More information about the pve-devel mailing list